Cathay Pacific Faces Growing Scrutiny After 5‑Month Delay in Admitting Massive Data Leak, Asia News

Heads‑Up: Cathay Pacific’s Five‑Month Delay on a Big Data Breach

Yesterday's shocker came from Hong Kong's Cathay Pacific, which finally disclosed an intrusion into its systems that exposed the information of roughly 9.4 million travelers. The airline's delay of five whole months has everyone grumbling, from boardroom floors to the parliament floor.

The timeline that gets people fuming

  • March: Suspicious traffic caught on Cathay’s network.
  • May: Confirmation that passengers' data had been accessed without authorization.
  • Late Oct: Official acknowledgment and public outcry.

Chief customer and commercial officer Paul Loo defended the wait by saying the airline wanted to get a crystal‑clear picture before making the announcement. He added it was “not to create unnecessary panic.”
But politicians weren’t buying the narrative—Charles Mok slammed the delay as a slap in the face to victims; Elizabeth Quat called it “unacceptable.” And so the question became: Should the airline have acted sooner?

What data was exposed?

  • 860,000 passport numbers
  • 245,000 Hong Kong ID card numbers
  • 403 expired credit card numbers
  • 27 credit card numbers with no CVV
  • Names, nationalities, birthdays, phone numbers, emails, and addresses

CEO Rupert Hogg sought to reassure travelers, saying that no passwords or full loyalty profiles were accessed and adding: “We have no evidence that any personal data has been misused.”
Yet, as Mok pointed out, that level of confidence might be just a polite shrug. He said people need to know exactly how Cathay can prove that no data was tampered with, because a statement alone doesn’t equal safety.

Under EU rules it’s a breach‑reporting race

In the European Union, the new General Data Protection Regulation says a breach must be reported within 72 hours. Not following that rule is like showing up late to a party—you’re basically invited to the after‑party.

Hong Kong’s watchdog steps in

Privacy commissioner Stephen Wong voiced “serious concern” and vowed to audit Cathay’s compliance. He reminded companies that they shouldn’t settle for meeting the bare minimum requirements; after all, customers expect more than a rubber stamp.

Cathay’s fallout and the bigger picture

Q: How does a breach affect a struggling airline?
A: Aside from the customer backlash, the airline already bears the weight of its first annual loss in its 70‑year history, staff cuts (600 employees, a quarter of management), and stiff competition from Chinese low‑cost carriers and Middle‑East rivals. And yet the sector has bright spots, such as higher fares and cargo rates, and the company hopes for a smoother second half.

Wrap‑up: The hack, by the way, followed British Airways’ earlier spectacular mishap of stolen credit card data. Two weeks of frenzy for BA; five months of mumbled silence for Cathay. Which one earns the title of “worst timing” in cyber‑land? You decide.